From 1e27a745f31e72cdbe42e122cad2b41125ee847b Mon Sep 17 00:00:00 2001
From: Clayton Casciato
Date: Thu, 3 Apr 2025 17:11:37 -0600
Subject: [PATCH] refpolicy: unconfined - fix oddjob security_compute_sid

Signed-off-by: Clayton Casciato
Signed-off-by: Yi Zhao
---
 ...ystem-unconfined-fix-oddjob-security.patch | 58 +++++++++++++++++++
 .../refpolicy/refpolicy_common.inc | 1 +
 2 files changed, 59 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy/0059-policy-modules-system-unconfined-fix-oddjob-security.patch

diff --git a/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-unconfined-fix-oddjob-security.patch b/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-unconfined-fix-oddjob-security.patch
new file mode 100644
index 0000000..33f5884
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-unconfined-fix-oddjob-security.patch
@@ -0,0 +1,58 @@
+From ccdb93b7566c4e2492da20ec7a0c19691206703f Mon Sep 17 00:00:00 2001
+From: Clayton Casciato
+Date: Mon, 3 Mar 2025 10:40:41 -0700
+Subject: [PATCH] unconfined: fix oddjob security_compute_sid
+
+type=PROCTITLE proctitle=mkhomedir_helper user123 0077
+
+type=SYSCALL syscall=socket per=PER_LINUX success=yes exit=3 a0=local
+a1=SOCK_STREAM a2=ip a3=0xbee9d8a8 items=0 ppid=404 pid=1386 auid=unset
+uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
+fsgid=root tty=ttyAMA0 ses=unset comm=mkhomedir_helpe
+exe=/usr/sbin/mkhomedir_helper
+subj=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
+key=(null)
+
+type=SELINUX_ERR op=security_compute_sid
+invalid_context=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
+scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
+tcontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
+tclass=unix_stream_socket
+
+--
+
+Similar problem and resolution:
+https://github.com/SELinuxProject/refpolicy/pull/171
+
+--
+
+Fedora:
+https://github.com/fedora-selinux/selinux-policy/blob/v41.33/policy/modules/roles/unconfineduser.te#L365
+
+--
+
+Reference:
+https://github.com/SELinuxProject/selinux-notebook/blob/main/src/auditing.md#general-selinux-audit-events
+
+Signed-off-by: Clayton Casciato
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/bcb8e1d4dbff48477a9a8a7d215e32370c6e779b]
+
+Signed-off-by: Clayton Casciato
+---
+ policy/modules/system/unconfined.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index d54fe2fd4..a2f898551 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -157,7 +157,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+- oddjob_domtrans_mkhomedir(unconfined_t)
++ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
+ ')
+ 
+ optional_policy(`
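Review bot: The outer commit carries only a subject line, so the reason for swapping `oddjob_domtrans_mkhomedir` for `oddjob_run_mkhomedir` is only discoverable by opening the new patch file and reading the embedded audit records. Suggest a short description on the recipe commit, e.g. `unconfined_t may transition to oddjob_mkhomedir_t, but unconfined_r is not authorized for that type, so the kernel rejects the computed context (SELINUX_ERR op=security_compute_sid, invalid_context=unconfined_u:unconfined_r:oddjob_mkhomedir_t); the _run_ interface also grants the role.` That the missing piece is the role authorization rather than the transition is inferred from the audit record and from the refpolicy convention that `_run_` interfaces add `role $2 types`, so the wording should be checked against the upstream commit cited in Upstream-Status. The practical effect is that oddjob_mkhomedir_t becomes a legal domain under unconfined_r, which is exactly the context the failed computation was asking for.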
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index cd04ef5..bf9895f 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -74,6 +74,7 @@ SRC_URI += " \
 file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \
 file://0057-policy-modules-system-authlogin-chkpwd_t-dac_read_se.patch \
 file://0058-policy-modules-services-chronyd-allow_dac_read_searc.patch \
+ file://0059-policy-modules-system-unconfined-fix-oddjob-security.patch \
 "
 
 S = "${WORKDIR}/refpolicy"